I am trying to set up authentication in ActiveMQ Artemis using LDAP. Based on instructions found on the Internet, I did the configuration only in the login.config file. I've heard that for authorization you also need to add the appropriate entries to broker.xml, but I wanted to test LDAP authentication first, so for the time being I only edited login.config.
And now when I specify a random user that does not exist in ldap, I get this error in the activemq console:
2023-10-18 23:52:51,318 WARN [io.hawt.system.Authenticator] Login failed due to: User RandomUser not found in LDAP.
When I enter the correct user name, but with the wrong password, I get this message in the activemq console:
2023-10-18 22:39:34,771 WARN [io.hawt.system.Authenticator] Login failed due to: Password does not match for user: User
When I enter the correct user name and password, no message appears in the ActiveMQ console. There is no error, nor is there any information about a successful login. Only in the GUI in the browser is there a red error about an incorrect login or password; there is no such information in the console.
Based on these observations, I conclude that it correctly finds my users in LDAP and authenticates correctly, because in the case of a bad password I get that message. However, for some reason, after I enter the correct data, it does not want to let me through.
Let me start by describing my configuration.
LDAP User Accounts:
- OU=Accounts (OU Accounts)
  - OU=A (OU A)
    - CN=User1 (USER 1)
    - CN=User2 (USER 2)
  - OU=B (OU B)
    - CN=User3 (USER 3)
I have individual users assigned to organizational units.
LDAP Groups:
Resource groups (ACTIVEMQ_RESOURCEGROUP), and within them account groups, to which the accounts (User1, User2, User3, etc.) belong.
login.config file:
activemq {
    org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
        debug=true
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://ldap1.org.net.example.com:389 ldap://ldap2.org.net.example.com:389"
        connectionUsername="cn=ldap_user,ou=ACTIVEMQ,ou=Service Accounts,dc=org,dc=net,dc=example,dc=com"
        connectionPassword="ldap_password"
        connectionProtocol=s
        connectionTimeout="5000"
        authentication=simple
        userBase="ou=Accounts,dc=org,dc=net,dc=example,dc=com"
        userSearchMatching="(sAMAccountName={0})"
        userSearchSubtree=true
        readTimeout="5000"
        roleBase="ou=Resource Groups,dc=org,dc=net,dc=example,dc=com"
        roleName=ResourceGroup
        roleSearchMatching="(cn=ACTIVEMQ_RESOURCEGROUP*)"
        roleSearchSubtree=true
        ;
};
I managed to solve this problem!
My working configuration (login.config):
--
--
--
        roleBase="ou=Resource Groups"
        roleName="cn"
        roleSearchSubtree=true
        roleSearchMatching="(&(objectClass=group)(cn=<<example ABC>>)(member:1.2.840.113556.1.4.1941:=cn={0}))"
--
--
--
LDAP User Accounts:
- OU=Resource Groups
  - CN=ABC
///////////////////////////
- OU=Accounts (OU Accounts)
  - OU=A (OU A)
    - CN=User1 (USER 1)
    - CN=User2 (USER 2)
  - OU=B (OU B)
    - CN=User3 (USER 3)
Each account that is in account group A or B, which belong to resource group ABC, will receive the appropriate permissions.